The BIG-IP Core implementation providing user access control intermediary services must provide the capability for users to directly initiate a session lock.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-60319	F5BI-LT-000143	SV-74749r1_rule		Medium

Description
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, network elements need to provide users with the ability to manually invoke a session lock so users may secure their session should the need arise for them to temporarily vacate the immediate physical vicinity. This policy only applies to gateways (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services.

Description

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, network elements need to provide users with the ability to manually invoke a session lock so users may secure their session should the need arise for them to temporarily vacate the immediate physical vicinity. This policy only applies to gateways (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services.

STIG	Date
F5 BIG-IP Local Traffic Manager 11.x Security Technical Implementation Guide	2015-06-02

Details

Check Text ( C-61241r1_chk )
If the BIG-IP Core does not provide user access control intermediary services for virtual servers, this is not applicable. When user access control intermediary services are provided, verify the BIG-IP Core is configured as follows: Verify Virtual Server(s) in the BIG-IP LTM module are configured with an APM policy that provides the capability for users to directly initiate a session lock. Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab. Select Virtual Servers(s) from the list to verify. Verify under "Access Policy" section that "Access Policy" has been set to use an APM access policy that provides the capability for users to directly initiate a session lock. If the BIG-IP Core is not configured to provide the capability for users to directly initiate a session lock, this is a finding.

Check Text ( C-61241r1_chk )

If the BIG-IP Core does not provide user access control intermediary services for virtual servers, this is not applicable.

When user access control intermediary services are provided, verify the BIG-IP Core is configured as follows:

Verify Virtual Server(s) in the BIG-IP LTM module are configured with an APM policy that provides the capability for users to directly initiate a session lock.

Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab.

Select Virtual Servers(s) from the list to verify.

Verify under "Access Policy" section that "Access Policy" has been set to use an APM access policy that provides the capability for users to directly initiate a session lock.

If the BIG-IP Core is not configured to provide the capability for users to directly initiate a session lock, this is a finding.

Fix Text (F-65933r1_fix)
If user access control intermediary services are provided, configure the BIG-IP Core as follows: Configure a policy in the BIG-IP APM module to provide the capability for users to directly initiate a session lock. Apply APM policy to the applicable Virtual Server(s) in the BIG-IP LTM module to provide the capability for users to directly initiate a session lock.